
1 GENESIS: A Framework For Achieving Component Diversity
John C. Knight, Jack W. Davidson, David Evans, Anh Nguyen-Tuong (University of Virginia)
Chenxi Wang (Carnegie Mellon University)

2 DARPA SRS Kickoff: Nice Meeting Facility!

3 What Is The Problem?
Many machines with the same vulnerability
What is a vulnerability? A vulnerability is a fault in the classic sense of dependability theory
Fault types:
  Degradation: something breaks in one copy
  Design: a flaw in the design affects all copies
Software faults are design faults

4 Redundancy & Degradation Faults
(figure) N Modular Redundant (NMR) system of identical computers: Computer 1, Computer 2, ..., Computer N
Inputs -> Voter -> Outputs
Voter provides error detection, damage assessment, state restoration and continued service

5 Redundancy & Design Faults
Redundancy is diversity
Works well for degradation faults:
  Faults have predictable statistical behavior
  Effective mathematical models available
What about design faults?
  Simple replication doesn't work, obviously
  Requires different (diverse) designs to be effective

6 Multiple Systems
(figure) One specification implemented by Linux, Windows and OS/2, each with its own vulnerabilities

7 Design Diversity
(figure) Component Specification -> Version Development 1, Version Development 2, ..., Version Development N -> System Assembly; interaction barriers and technology restrictions separate the developments
Goal: different faults because of independent development

8 Design Diverse System
(figure) N Version System: Version 1, Version 2, ..., Version N; Inputs -> Voter -> Outputs
How "different"?
Assumption: different faults because of independent development

9 Design Diversity
Does not work well for design faults:
  No upper bound on failure probability
  No practical statistical models
  No definition of "design diversity"
  No procedure for achieving it
Linux vs. Windows is, however, worse—it is purely ad hoc
But, what else is there?


11 Data Diversity
Heisenbug (Jim Gray): the program fails; sometimes, if you rerun the program, it works
Applied to the Tandem operating system
We all do this in daily operation
Several variants of the approach developed
Comprehensive, general approach developed: data diversity

12 Data Diverse System
(figure) N Copy Architecture, the same software in every copy: Copy 1, Copy 2, ..., Copy N
Inputs -> Data Reexpression -> Copies -> Reverse Data Reexpression -> Voter

13 Data Diversity
Low cost—software is copied
Unknown performance for design faults
Experimental evidence that it works well
Can be very powerful:
  sin(x) = sin(a + b)
         = sin(a)cos(b) + cos(a)sin(b)
         = sin(a)sin(90-b) + sin(90-a)sin(b)
  Choose a and b, repeat, vote
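An added example (not from the slides or the Genesis project) of the sin() re-expression above driving the N-copy voter of slide 12: a constructed stand-in sin() carries a design fault that fires only on a narrow input range, each copy runs the same code on re-expressed data using sin(a+b) = sin(a)sin(pi/2-b) + sin(pi/2-a)sin(b) in radians, and a majority voter masks the faulty copy. The fault zone, the copy count and the rule for choosing a are assumptions of the example.

```python
import math
from collections import Counter

# Constructed stand-in for a library sin() with a design fault: wrong only on a
# narrow input region, so every identical copy fails on the same input and
# plain replication cannot mask it. The fault zone is an assumption.
FAULT_ZONE = (0.49, 0.51)

def faulty_sin(x):
    if FAULT_ZONE[0] < x < FAULT_ZONE[1]:
        return 0.0                      # the design fault
    return math.sin(x)

def reexpress(x, k, n):
    """Data re-expression k of n: split x into a + b with a = x*k/(n+1)."""
    a = x * k / (n + 1)
    return a, x - a

def copy_run(sin_fn, a, b):
    """One copy of the same software on re-expressed data, using only sin():
    sin(a+b) = sin(a)sin(pi/2-b) + sin(pi/2-a)sin(b). The identity yields
    sin(x) directly, so the reverse re-expression is the identity here."""
    half_pi = math.pi / 2
    return sin_fn(a) * sin_fn(half_pi - b) + sin_fn(half_pi - a) * sin_fn(b)

def vote(outputs, digits=9):
    """Majority voter. Outputs are rounded so float noise cannot split the vote."""
    counts = Counter(round(v, digits) for v in outputs)
    value, support = counts.most_common(1)[0]
    if 2 * support <= len(outputs):
        raise RuntimeError("no majority among copies: %r" % dict(counts))
    return value

def diverse_sin(x, n_copies=5, sin_fn=faulty_sin):
    """Data-diverse sin: one copy on the raw input plus n re-expressed copies, then vote."""
    outputs = [sin_fn(x)]
    for k in range(1, n_copies + 1):
        a, b = reexpress(x, k, n_copies)
        outputs.append(copy_run(sin_fn, a, b))
    return vote(outputs)

if __name__ == "__main__":
    x = 0.5                             # inside the fault zone
    print("direct:", faulty_sin(x), "diverse:", diverse_sin(x), "true:", math.sin(x))
```

The raw copy returns 0.0 for x = 0.5 while the five re-expressed copies agree on the correct value, so the voter outputs sin(0.5); with a different fault zone the re-expressed operands, not the raw input, could be the ones that hit it, which is why several independent re-expressions are voted rather than one.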

14 The Vision
Automated production of design-diverse, functionally-equivalent software
Automated production of data-diverse, functionally-equivalent software
It might work…

15 Overall Approach
Analysis of the diversity space
Automated production of functionally-equivalent software and data:
  Compiler and meta-compiler technology:
    Source-level transformations
    Compiler transformations
    Data stream rewriting
  Virtual machine technology:
    Run-time software translation techniques
Rationale that diversity is an effective defense mechanism:
  Experimental evaluation
  Modeling of effects of diversity on known vulnerabilities
  Application to COTS software

16 Hierarchic Design Diversity
(figure; the only recovered label is "Run-time Transformations")

17 Source to Source Transformations
Underlying model of tasks: e.g. fork/execs vs. threads
Process interaction: e.g. low-level semaphores vs. higher-level monitors
Fundamental libraries: e.g. libc, sockets, etc.
Diversity achieved by component combinations

18 Compiler Transformations
Generate N compilers that target different architectures
Manipulate a formal description of the target architecture—Computer Systems Description Language (CSDL):
  Instruction Set Architecture (ISA) specification
  Calling convention specification
Example diversity techniques:
  Different calling conventions
  ISA subsets created, enforced dynamically
  Memory layouts—code and data
  Implement the above within the same program

19 Run-time Transformations
Software Dynamic Translation
STRATA system:
  Layer between hardware and application
  Designed to be easily retargeted
Virtual machine provides:
  Underlying target
  Supplementary rules on use of target
Software Dynamic Translation systems: FX!32, Dynamo, Transmeta

20 STRATA—Basic Operation
(figure; recovered label: "Enforce Desired Policies")

21 Example STRATA Policies
Apply compile-time transformations dynamically: rearrangement of basic blocks, calling sequence transformations, etc.
Dynamic injection and enforcement of behavioral policies, e.g. resource usage (files, sockets, tasks)
Language diversity: dialects
  Only allow subsets of the original instruction set
  Vary subsets dynamically

22 STRATA System Architecture
(figure; recovered label: "Machine Independent Components")

23 Data Diversity
Diversity in the data space can avoid sequences of events that lead to failure
Diversity space offers a large range of data re-expression options:
  Precision (exact, approximate)
  Locality (internal, external)
  Sequence (in-order on-time, in-order off-time, out-of-order on-time, out-of-order off-time)

24 Data Re-expression Examples
Change floating point values: lose precision, translate, rotate
Data sequences: reorder data, change timing of data
Memory layout (code and data)
Reorder transactions
Reorder data in activation records
SQL rewriting
…many more examples…

25 Data Re-expression Space
These examples are ad hoc
Proposals in the literature are ad hoc
So: use the data re-expression space categorization to drive exploration of diversity techniques (instead of point solutions)

26 Evaluation
Theoretical:
  Modeling of effects of diversity on network vulnerabilities, e.g. worm propagation
  Understand limits of diversity
  Categorization of "diversity space"
  Identify unnecessary homogeneity in software: not just code but also environment, configuration, etc.
Experimental:
  Directed fault seeding:
    Apply known exploits to target system
    Apply all Genesis techniques
    Evaluate variants' resistance to attack
  Automated fault seeding

27 Automatic Fault Seeding
Need test cases
Need typical vulnerabilities, i.e., bugs
Can typical bugs be synthesized?
Prior work on syntactic transformations:
  Simple mutations
  Wide variety of resilience
  Defects created with excellent statistical properties
Plan to try this route

28 Automated Fault Seeding
(figure) Target Software System -> Error Seeding -> many seeded variants -> Acceptance Tests -> Genesis Transformations -> many transformed variants -> Vulnerability Assessment
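An added example (not from the slides or the Genesis project) of the first two stages of the pipeline in slides 27 and 28 on a constructed target: single-operator syntactic mutations seed faults into a small bounds check, the acceptance tests filter them, and the mutants that survive are the candidate seeded vulnerabilities a later assessment step would work with. The target function, the acceptance tests and the mutation table are assumptions of the example.

```python
import ast
import copy

# Constructed target standing in for the "target software system": a bounds
# check of the kind whose off-by-one errors become memory-safety bugs.
TARGET_SRC = '''
def in_bounds(idx, buf_len):
    return 0 <= idx and idx < buf_len
'''
# Constructed acceptance tests; note that none of them probes idx == buf_len.
ACCEPTANCE_TESTS = [((0, 4), True), ((3, 4), True), ((-1, 4), False)]
# Simple syntactic mutation operators (the "simple mutations" of slide 27).
MUTATIONS = {ast.Lt: ast.LtE, ast.LtE: ast.Lt, ast.And: ast.Or, ast.Or: ast.And}

def _sites(tree):
    """Mutable operator slots as (node, field, index), in ast.walk order."""
    sites = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Compare):
            sites += [(node, "ops", i) for i, op in enumerate(node.ops)
                      if type(op) in MUTATIONS]
        elif isinstance(node, ast.BoolOp) and type(node.op) in MUTATIONS:
            sites.append((node, "op", None))
    return sites

def seed_faults(src):
    """Yield (label, mutant source); each mutant changes exactly one operator."""
    base = ast.parse(src)
    for n in range(len(_sites(base))):
        tree = copy.deepcopy(base)            # the original stays intact
        node, field, i = _sites(tree)[n]      # same walk order on the copy
        old = node.ops[i] if field == "ops" else node.op
        new = MUTATIONS[type(old)]()
        if field == "ops":
            node.ops[i] = new
        else:
            node.op = new
        yield "%d:%s->%s" % (n, type(old).__name__, type(new).__name__), ast.unparse(tree)

def passes_acceptance(src, name, tests):
    """Run the acceptance tests against one (possibly mutated) program."""
    ns = {}
    exec(src, ns)
    return all(ns[name](*args) == expected for args, expected in tests)

def surviving_mutants(src=TARGET_SRC, name="in_bounds", tests=ACCEPTANCE_TESTS):
    """Seeded faults the acceptance tests miss: candidate vulnerabilities for assessment."""
    return [(label, mut) for label, mut in seed_faults(src)
            if passes_acceptance(mut, name, tests)]
```

Three mutants are generated; the two that break the lower bound or the conjunction fail the tests, while the off-by-one mutant (idx <= buf_len) passes all of them and is reported as a survivor, which is exactly the kind of seeded defect the vulnerability assessment stage needs.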

29 State Of The Implementation
Exists, ready to use: CSDL, calling convention spec, STRATA

30 Specific Questions Posed
What are you trying to do (the problem you are addressing)?
How will you show that you were successful?
What are the implications of successful results (or less than successful results)?
What is your technical approach?
What is new, or hasn't been attempted?
What significant problems do you anticipate, what makes your project difficult, and how do you plan to approach the difficulties?
If successful, what have you thought about regarding transitioning the technology?
If successful, what would be next?

31 Practical Problem
If this works:
  Building a system will require lots of computer time
  Lots of systems will require LOTS of computer time
  But it is just computer time
  Will not be able to just press CDs
  Will require a substantial engineering investment

32 Summary
Automatic application of design diversity: macro, midi, micro
Systematic application of data diversity: internal, external, all dimensions
Seamless integration of the two
Evaluation and assessment:
  Directed fault seeding
  Automated fault seeding
Questions?
